1. Field of the Invention
The present invention relates generally to internet protocol security and, more particularly, to a method of generating internet protocol (IP) security tunnels that automatically generates filter rules used for screening data.
2. Description of the Related Art
Internet protocol (IP) security provides security to communications over the internet and within company networks (intranet). The security occurs at the IP protocol layer, thus allowing secure traffic for all application programs without having to make any modifications to the programs themselves. The security is accomplished by either filtering and/or tunneling packets of data.
Filtering is a function in which incoming and outgoing packets of data are accepted or denied based on certain properties. These properties include source and destination addresses, protocol, subnetwork mask, data type (e.g., TCP/IP (transmission control protocol/internet protocol) data or UDP (user datagram protocol) data etc.), port numbers, routing characteristics, tunnel definition etc. Using a filter, a system administrator may control traffic to and from a host computer. For example, employee confidential data may be allowed to be transmitted from host.sub.1 to host.sub.2 and not vice versa and host.sub.3 may be instructed to ignore such data from host.sub.1.
Tunneling, on the other hand, is the act of encapsulating or concealing the packets of data as they are traveling over the internet or a communication link. There are two aspects to data encapsulation. One aspect is authentication and the other is encryption. Authentication requires the receiving host to authenticate the data to ensure that the data did come from the transmitting host. Authentication also guarantees data integrity by using a key digest (akin to a checksum function) to disclose whether the packet arrived at its destination unaltered. Data that has to be authenticated is referenced with an authentication header (AH).
Encryption, as the name implies, provides confidentiality by encrypting the data to prevent it from being read by intervening hosts. The receiving host is able to decrypt the data with a key shared with the transmitting host. Data that has been encrypted is referenced with an encryption header (ESP--encapsulating security payload).
When defining a tunnel, a user can choose to encapsulate the entire data packet including IP headers or just the data itself. Encapsulation of only the data allows for faster processing as host systems do not have to decipher the headers to determine whether to transmit, relay, accept or reject the data packet. Encapsulation of only the data is ordinarily done when a trusted network is used.
Several steps are necessary in order to activate a tunnel. Specifically, four separate commands are used. One command is used to define the tunnel and another to define the filter rules associated with the tunnel. A third command is used to activate the filter and a fourth to activate the tunnel. (Note that using a tunnel necessitates the use of a filter, however, filtering data does not require that a tunnel be used.) Based on the foregoing, therefore, it is obvious that several options have to be set before a tunnel can be operational. This can be a very cumbersome and tedious task. The complexity of the task may be further exacerbated by mistakes and omissions. Any one of those mistakes or omissions may lead to the cessation of traffic to and from the host.
Consequently, there is a need in the art for a method of simplifying the process of activating a tunnel and thereby minimizing the chance of a system breakdown.